Class Action Suits for Cybersecurity Breaches

What is a class action?

Since the 1820 case of West v. Randall, the class action lawsuit has been firmly
established as a powerful tool in the federal judicial system of the USA. A class action
enables a large group of individuals, which is generally understood to mean 20 or more
persons, who have identical or similar claims to come together to collectively sue an
adverse party in a lawsuit. This form of litigation offers benefits to both plaintiffs and
defendants. Additionally, it is hugely beneficial to the court system as a time-saving
device. Nonetheless, class actions also present difficulties.

Situations in which a defendant’s actions or conduct have negatively affected many
people in a comparable manner are generally well suited for a class action lawsuit.
Class action cases often concern things like defective products, environmental or
pollution claims, securities fraud, or mass casualties such as aircraft or railway

There are four legal requirements for a class action:

1) The class must be so large that it would be impractical to join all the people who
have similar claims as actual parties to the case.
2) The members (or plaintiffs) of the class suit all must have largely similar claims.
The claims must share questions of law or fact.
3) The claims of the plaintiffs who act as class representatives should be typical of
the claims of the entire class.
4) The class representatives and the attorneys who represent the plaintiffs must
have the ability, skills, experience and resources to adequately represent the

When a cyberattack, or an accidental data leak, occurs, the personal data of many or all
of the target’s data subjects may be compromised. The more subjects, and the more
sensitive the personal data, the greater the risk. One does not need to be a legal or data
security expert to recognise that when the four legal requirements outlined above are
applied to the context of a significant data breach, a class action may be the most
suitable way for data subjects to enforce their rights. For example in March 2024, AT&T
publicly acknowledged that it had suffered a breach which appeared to have
compromised the personal data of 7.6 million current account holders and some 65.4
million former account holders. The sheer numbers of people involved would overwhelm
the court system should each person file an individual lawsuit, the similarity of the facts

In each case also means that a great deal of repetition could be avoided if the claims
could be addressed together as a class action.

Protection of your organization

The rapid advancement of technology has led to more and more of our lives moving
online. This increase in data generation, collection, storage, and treatment has
consequently created a context where cybersecurity breaches are now a grave threat to
businesses of all sizes. Companies are increasingly vulnerable to cyberattacks, which
can result in severe consequences including financial losses, reputational damage, and
legal repercussions such as fines. The legal repercussions following a cybersecurity
breach may also include class action lawsuits. It is essential to fully grasp the
implications of such lawsuits in order to take proactive steps through data security
consultation and training that can safeguard your organization against potential legal

The increase in cybersecurity breaches

It can be said that a cybersecurity breach has occurred when unauthorized individuals
have successfully gained access to confidential data. Such breaches often lead to the
exposure of sensitive information including personal client details, financial records,
intellectual property, and private correspondence. The augmentation in the number of recorded cyberattacks has been aided by factors such as ever increasing internet
connectivity, more sophisticated hacking techniques, and substandard security

Data breaches often occur due to banal reasons or innocent mistakes, such as an
employee losing a company device or emailing confidential information to the incorrect
person. Malicious insiders may also pose a risk to data security ; disgruntled or former
employees may deliberately reveal private data. Hackers, obviously, pose a risk.
Hackers are malicious outsiders who intentionally commit cybercrimes in order to steal
or freeze access to data. Unsurprisingly, money is normally the motivation for malicious
attacks and hackers may attempt to steal credit card numbers, bank account details, or
other financial information in order to extract funds from people and companies

That said, sometimes other motivations are at play : activist groups may target
organizations or businesses that they are ideologically opposed to (e.g. the Ashley
Madison hack of 2015), and foreign powers undoubtedly engage in cyber espionage and
cyber warfare.

Class action lawsuits

When a data breach occurs, the individuals affected can come together to file a class
action lawsuit against the organization or company responsible. For businesses who
have suffered a breach, this may mean dealing with significant legal fees and
compensation payouts.

A cybersecurity breach class action lawsuit typically alleges that the company did not
implement the necessary security measures, failed to promptly inform the affected
individuals about the breach, or was incompliant with the applicable data protection

The Cost

The financial impact of such lawsuits cannot be understated. Settlements in
cybersecurity cases can amount to millions of dollars. For example, in 2022 T-Mobile
agreed to pay $350 million in settlement of multiple class-action suits stemming from a
2021 data leak. In addition to the direct financial costs, businesses may also face higher
insurance premiums, legal fees, and be required to take action to prevent future
breaches by investing in stronger security measures.

Key steps in data security consultation and training

It is crucial to protect your organization from the catastrophic impacts of cybersecurity
breaches and the class action lawsuits which will inevitably result. Investment in
extensive data security consultation and training is essential. As a minimum, the
following steps should be taken:

1. Assessment of risk: Carry out a comprehensive evaluation of the organization’s
present cybersecurity posture in order to identify vulnerabilities and potential
threats. This will involve evaluating IT infrastructure, data handling procedures,
and current security measures.

2. Development of Security Policy: Implementation of robust security policies that
comply with both regulations and industry standards. As a minimum, this should
include data encryption, access control security, and incident response

3. Staff Training: Staff must be trained in the importance of good cybersecurity.
Regular training sessions concerning the best practices for data protection
should be provided. Human error is one of the leading causes of data breaches,
and sensitizing employees is the first line of defense in avoiding such problems.

4. Audits and Updates: Regular monitoring and auditing of security systems should
be realized so as to ensure that they are up to date and functioning at the
optimum level. Periodic software and hardware updates are also essential.

5. Incident Response: A comprehensive incident response plan that will quickly
address and mitigate the impact of a data breach should be developed. The plan
must include clear protocols for communication, investigation, and recovery.

With the rising threat of cybersecurity breaches, protecting a business from class action
lawsuits requires proactive and thorough security measures. Investment in data security
consultation and training is essential. All organizations which process personal data
need to fortify defenses, minimize the risk of breaches, and guarantee compliance with
the relevant legal requirements.

Photo Credit: Dall-E / Defensorum

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Eoin Campbell

Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified lawyer. Eoin has moved from practicing law to lecturing. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data privacy. He is an expert on data privacy laws.